
CN-121984764-A - Dynamic and static analysis combined NAS equipment vulnerability detection method


Abstract

The invention discloses a NAS device vulnerability detection method that combines dynamic and static analysis. In a local area network, the full set of functions of a network attached storage (NAS) device is exercised through its clients, and the plaintext traffic between client and device is captured and recorded from a man-in-the-middle position. The traffic is reviewed manually to mark the user identity carried in each message and the sequences of messages that depend on one another. Key fields of the messages are then mutated automatically according to preset mutation rules for three vulnerability classes (command injection, memory corruption and improper access control) and replayed to the NAS device as a protocol fuzzing test. Whether a mutant has triggered a vulnerability is detected by monitoring the device's response duration, response state and internal state, and the vulnerabilities found by fuzzing are used to extract firmware files from the NAS device.

Inventors

  • YU LE
  • WANG JINCHENG
  • REN GUANGYUE
  • CAO SICONG
  • HU MINGZHE
  • HAN LIPING

Assignees

  • Nanjing University of Posts and Telecommunications (南京邮电大学)

Dates

Publication Date
2026-05-05
Application Date
2026-02-09

Claims (7)

  1. A NAS device vulnerability detection method combining dynamic and static analysis, characterized by comprising the following steps. Step one: in a local area network environment, perform full-function operation of the network attached storage device through its APP, web and PC clients, and capture and record the plaintext communication messages. Step two: automatically mutate key fields of the messages according to preset mutation rules for three vulnerability classes, namely command injection, memory corruption and improper access control, replay the mutated messages to the NAS device, and carry out protocol fuzzing against the device. Step three: detect whether a fuzzing message has triggered a vulnerability by monitoring the response duration, response state and internal state of the NAS device. Step four: extract firmware files from the NAS device using the vulnerabilities found by fuzzing. Step five: reverse engineer the extracted firmware, locate the relevant binaries, verify the causes of the vulnerabilities through data-flow analysis and robustness testing, and look for further vulnerabilities. Step six: manually verify and reproduce the detected vulnerabilities.
  2. The method of claim 1, wherein the fuzzing step includes mutations for command injection vulnerabilities in two modes, a direct injection mode and a pairing injection mode: in the direct injection mode a command string containing shell metacharacters is inserted into a message field; in the pairing injection mode an operation message pair with a timing dependency is identified, malicious content is injected into the preamble message, which is sent first, and the subsequent message is then sent to trigger the vulnerability.
  3. The method of claim 1, wherein the fuzzing step includes mutations for memory corruption vulnerabilities, covering buffer overflow, type confusion and null pointer dereference: for buffer overflow an overlong string is injected into a field; for type confusion the data type of a message field is changed; for null pointer dereference a field of the message is deleted or set to null.
  4. The method of claim 1, wherein the fuzzing step includes mutations for improper access control vulnerabilities, covering authentication defects, directory traversal and external USB device symbolic links: for authentication defects the identity field is deleted or replaced to verify whether the permission check is defective; for directory traversal a traversal sequence is inserted into a path field to verify whether an internal system directory or another user's file space can be accessed or operated on; for external USB device symbolic links a symbolic link pointing to an internal system directory is created on the USB device to verify whether the corresponding directory can be accessed or operated on without authorization.
  5. The method of claim 1, wherein the vulnerability monitoring step monitors the NAS device in three ways, namely the device response duration, the device response state and the internal state of the device. For response duration, the device failing to respond, or the response taking longer than a threshold, indicates that a vulnerability has been triggered. For response state, in the case of memory corruption, the message having to be resent, or an error code appearing in the response, indicates that the vulnerability has been triggered; in the case of improper access control, a status code in the response body that has not changed from that of the unmutated request indicates that the vulnerability has been triggered. For internal state, a monitor is placed inside the device's system and continuously observes the running processes through the ps command; a process that normally runs steadily disappearing, or its process number changing, after a mutated message is replayed indicates that a vulnerability has been triggered.
  6. The method of claim 1, wherein the firmware extraction step uses at least one of: executing a system command through a command injection vulnerability to export the firmware; accessing a system directory through a directory traversal vulnerability to obtain key binary files; or exporting the complete system files through an external USB device symbolic link vulnerability.
  7. The method of claim 1, wherein the reverse analysis step uses manual reverse engineering focused on code behaviour: for command injection and buffer overflow vulnerabilities, dangerous sink functions are located and a backward taint analysis is performed, cross-referencing continuously to determine whether a point that receives user-controllable data can eventually be reached; for type confusion and null pointer dereference vulnerabilities, attention is paid to where user-supplied JSON data is parsed and whether the data type at each level is strictly checked before parsing; for directory traversal, attention is paid to the handler functions of the URI interfaces related to file handling and to the system-level or wrapped file-operation functions they invoke.
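The fuzzing and monitoring steps of claims 2 to 5, as an added example in Python that is not part of the patent and not code from its inventors. It assumes the captured plaintext messages are flat JSON objects with an identity field `sid` and path fields `src`/`dst`, uses a constructed capture (`SAMPLE_MSG`) and a constructed in-memory stand-in for the NAS (`FakeNas`, with three planted bugs) so that it runs offline, and reads the file-service daemon's PID from `ps` output the way the internal-state monitor does. The daemon name `filed`, the payload strings, the response-duration threshold and the verdict names are all assumptions of this example.

```python
import copy
import time

# Assumptions of this example: flat JSON messages, these field names, these payloads.
SHELL_PAYLOADS = ["; id", "`id`", "$(id)", "| id"]   # shell metacharacters (claim 2)
OVERLONG = "A" * 8192                               # overlong string (claim 3)
TRAVERSAL = "../" * 8 + "etc/passwd"                # traversal sequence (claim 4)
TIMEOUT_S = 5.0                                     # response-duration threshold (claim 5)
SAMPLE_MSG = {"op": "rename", "sid": "u1-7f3a", "src": "/home/u1/a.txt", "dst": "/home/u1/b.txt"}  # constructed

def mutate(msg, identity_field="sid", path_fields=("path", "src", "dst")):
    """Yield (tag, mutant) pairs for one captured message; the original is left untouched."""
    for field, value in msg.items():
        if isinstance(value, str):
            for p in SHELL_PAYLOADS:                # command injection, direct mode
                m = copy.deepcopy(msg); m[field] = value + p
                yield "cmdi:" + field, m
            m = copy.deepcopy(msg); m[field] = OVERLONG   # buffer overflow
            yield "overflow:" + field, m
        m = copy.deepcopy(msg)                      # type confusion: swap the JSON type
        m[field] = [value] if not isinstance(value, list) else "x"
        yield "typeconf:" + field, m
        m = copy.deepcopy(msg); del m[field]        # null dereference: field absent
        yield "missing:" + field, m
        m = copy.deepcopy(msg); m[field] = None     # null dereference: field explicitly null
        yield "null:" + field, m
    if identity_field in msg:                       # authentication defect: strip the identity
        m = copy.deepcopy(msg); del m[identity_field]
        yield "noauth", m
    for f in path_fields:                           # directory traversal in path fields
        if f in msg:
            m = copy.deepcopy(msg); m[f] = TRAVERSAL
            yield "traversal:" + f, m

def mutate_pair(preamble, follow_up, field, payload="; id"):
    """Pairing injection mode: poison the preamble, then replay the follow-up as captured."""
    p = copy.deepcopy(preamble)
    p[field] = p[field] + payload
    return [p, copy.deepcopy(follow_up)]

def ps_pids(ps_output, name):
    """PIDs of processes named `name` in `ps` output (first column PID, last column command)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) > 1 and cols[-1].rsplit("/", 1)[-1] == name:
            pids.add(int(cols[0]))
    return pids

def classify(tag, baseline, status, elapsed, pids_before, pids_after):
    """Apply the response-duration, response-state and internal-state monitors of claim 5."""
    if pids_before != pids_after:                   # daemon vanished or respawned with a new PID
        return "crash"
    if status is None or elapsed > TIMEOUT_S:       # no answer, or answer past the threshold
        return "hang"
    if tag.startswith(("overflow", "typeconf", "missing", "null")) and status != baseline:
        return "error-after-mutation"               # memory-corruption candidate, needs triage
    if (tag == "noauth" or tag.startswith("traversal")) and status == baseline:
        return "access-control-bypass"              # unauthorised request succeeded like the original
    return "no-finding"

def run(msg, send, ps_snapshot, daemon="filed"):
    """Fuzz one captured message; `send` returns a status code, or None on timeout."""
    baseline = send(msg)
    findings = {}
    for tag, mutant in mutate(msg):
        before = ps_pids(ps_snapshot(), daemon)
        t0 = time.monotonic()
        status = send(mutant)
        elapsed = time.monotonic() - t0
        after = ps_pids(ps_snapshot(), daemon)
        verdict = classify(tag, baseline, status, elapsed, before, after)
        if verdict != "no-finding":
            findings[tag] = verdict
    return findings

class FakeNas:
    """Constructed stand-in for a NAS so the example runs offline; not modelled on any real device."""
    pid = 812                                       # PID of the file-service daemon

    def ps(self):
        return f"  PID USER COMMAND\n    1 root /sbin/init\n  {self.pid} root /usr/bin/filed\n"

    def send(self, msg):
        if msg.get("op") == "rename" and isinstance(msg.get("src"), list):
            self.pid += 101                         # filed crashes and a watchdog respawns it
            return None
        if "sid" not in msg:
            return 0                                # identity is never checked
        if ".." in str(msg.get("dst", "")):
            return 403                              # dst is validated, src is not
        if len(str(msg.get("src", ""))) > 255:
            return 500                              # overlong name hits an internal error
        return 0

if __name__ == "__main__":
    nas = FakeNas()
    print(run(SAMPLE_MSG, nas.send, nas.ps))
```

Against a real device, `send` would transmit the mutant over the captured protocol and return the status code from the response body (None on timeout), and `ps_snapshot` would run `ps` through whatever foothold the monitor has inside the device. A command-injection mutant that changes nothing visible in the response is not detectable by these three monitors alone, which is why the example assigns `cmdi:` mutants no verdict of their own and leaves them to the out-of-band and reverse-engineering checks.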

Description

Dynamic and static analysis combined NAS equipment vulnerability detection method

Technical Field

The invention belongs to the field of information security, and in particular relates to a NAS device vulnerability detection method combining dynamic and static analysis.

Background

With the popularity of network attached storage (NAS) devices in homes and businesses, their security problems are becoming increasingly prominent. An attacker can take control of a device, steal sensitive data or launch denial-of-service attacks by exploiting command injection, memory corruption, improper access control and similar vulnerabilities present in the NAS. At present, most NAS devices provide neither their firmware nor a command-line interface, so vulnerability detection can only be done as black-box testing through the traffic exchanged between the device and its various clients, which makes it hard to cover hidden interfaces or vulnerabilities that are only triggered under specific conditions. Existing static analysis tools for Internet of Things firmware mainly target simple, small devices such as routers; they cannot effectively handle the complex concurrent code written in languages such as Go and C++ that is common in NAS devices, and they suffer from high false-positive rates and severe path explosion. A NAS device involves many functions, such as file operations, user permission management and peripheral access, its vulnerabilities are varied, and a single testing method has difficulty covering all of them. There is therefore a need for a systematic detection method that combines dynamic testing with static analysis to identify multiple types of security vulnerabilities in NAS devices comprehensively and accurately.

Disclosure of Invention

To achieve this purpose, the technical scheme of the invention is as follows. The NAS device vulnerability detection method combining dynamic and static analysis comprises the following steps.

Step one: in a local area network environment, perform full-function operation of the NAS device through its APP, web and PC clients, and capture and record the plaintext communication messages. In the local area network the NAS device is fully exercised through its companion APP, web and PC clients, and the plaintext traffic between the client and the device is captured from a man-in-the-middle position. The traffic is reviewed manually, and the user identity carried in each message and the message sequences with dependency relationships are marked, such as create file followed by rename file, or upload file followed by move file.

Step two: automatically mutate key fields of the messages according to preset mutation rules for three vulnerability classes, namely command injection, memory corruption and improper access control, replay the mutated messages to the NAS device, and carry out protocol fuzzing against the device. Step three: detect whether a fuzzing message has triggered a vulnerability by monitoring the response duration, response state and internal state of the NAS device. Step four: extract firmware files from the NAS device using the vulnerabilities found by fuzzing. Based on the captured traffic, message fields are mutated automatically according to the preset mutation rules, the mutated messages are sent to the device, and potential security vulnerabilities are identified preliminarily by monitoring the device's responses and internal state.

Step five: reverse engineer the extracted firmware, locate the relevant binaries, verify the causes of the vulnerabilities through data-flow analysis and robustness testing, and look for further vulnerabilities. Step six: manually verify and reproduce the detected vulnerabilities.

Firmware is extracted from the device using the discovered vulnerabilities, the key binaries are located through reverse engineering, and data-flow analysis and robustness testing are performed, confirming the vulnerabilities already found while checking whether other, as yet untriggered, vulnerabilities exist in the firmware. Preferably, the fuzzing step comprises mutations for command injection vulnerabilities in two modes, a direct injection mode and a pairing injection mode: in the direct injection mode a command string containing shell metacharacters is inserted into a message field; in the pairing injection mode operation message pairs with a timing dependency are identified, malicious content is injected into the preamble message, which is sent, and the subsequent message is then sent to trigger the vulnerability. Preferably, the fuzzing step includes mutations for memory corruption vulnerabilities, covering buffer overflow, type confusion and null pointer dereference, in which an overlong string is injected into a field for buffer overflow, the data type of a message field is changed for type confusion, an